You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@nifi.apache.org by "David Handermann (Jira)" <ji...@apache.org> on 2023/06/12 20:20:00 UTC

[jira] [Created] (NIFI-11680) Buffer Overflow with Connection Load Balancing and Bouncy Castle TLS

David Handermann created NIFI-11680:
---------------------------------------

             Summary: Buffer Overflow with Connection Load Balancing and Bouncy Castle TLS
                 Key: NIFI-11680
                 URL: https://issues.apache.org/jira/browse/NIFI-11680
             Project: Apache NiFi
          Issue Type: Bug
          Components: Core Framework
    Affects Versions: 1.22.0
            Reporter: David Handermann
            Assignee: David Handermann
             Fix For: 1.latest, 2.latest


Cluster Connection Load Balancing is susceptible to a {{BufferOverflowException}} when the Java Virtual Machine is configured with an alternative Security Provider for TLS, such as the Bouncy Castle Security Provider.

The standard JDK [SSLSession implementation|https://github.com/openjdk/jdk/blob/master/src/java.base/share/classes/sun/security/ssl/SSLSessionImpl.java#L1394] provides {{getPacketBufferSize()}} and {{getApplicationBufferSize()}} methods to support runtime determination of required buffer sizes for encrypted and decrypted records. The standard implementation calculates specific sizes based on TLS protocol version.

The Bouncy Castle [SSLSession implementation|https://github.com/bcgit/bc-java/blob/master/tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLSessionBase.java#L99] uses a hard-coded value of 16384 for the Application Buffer Size and uses a [worst-case scenario calculation|https://github.com/bcgit/bc-java/blob/master/tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLSessionBase.java#L150] for the Packet Buffer Size.

When running with the Bouncy Castle implementation, the NiFi {{PeerChannel}} can produce encrypted packets that exceed the prepared buffer size, resulting in a {{BufferOverflowException}}.

Instead of using the {{SSLSession}} Application Buffer Size to expand the encrypted prepared buffer, the {{PeerChannel}} method should adjust the prepared buffer based on size of the current destination buffer. This approach should ensure correct behavior regardless of the TLS Security Provider implementation.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)